Security Affairs, hacking category: https://securityaffairs.com/category/hacking
Read, think, share … Security is everyone's responsibility
Feed updated Sun, 06 Oct 2024 21:04:02 +0000

https://securityaffairs.com/169460/apt/salt-typhoon-hacked-us-broadband-providers.html
Sun, 06 Oct 2024 21:04:00 +0000

China-linked APT group Salt Typhoon breached U.S. broadband providers, potentially accessing systems for lawful wiretapping and other data.

The China-linked APT group Salt Typhoon (also known as  and ) breached U.S. broadband providers, including Verizon, AT&T, and Lumen Technologies, potentially accessing systems used for lawful wiretapping and other data.

According to the Wall Street Journal, which reported the news exclusively, the security breach poses a major national security risk. The WSJ states that the compromise remained undisclosed because of its possible impact on national security. Experts believe the threat actors' goal is intelligence gathering.

“A cyberattack tied to the Chinese government penetrated the networks of a swath of U.S. broadband providers, potentially accessing information from systems the federal government uses for court-authorized network wiretapping requests.” reported the WSJ.

“For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications data, according to people familiar with the matter, which amounts to a major national security risk.”

The group targeted surveillance systems used by the US government to investigate crimes and threats to national security, including activities carried out by nation-state actors.

The investigation into the breaches of the U.S. broadband providers is still ongoing; government experts are assessing its scope.

Experts suspect the state-sponsored hackers have gathered extensive internet traffic and potentially compromised sensitive data.

This attack is the latest incident linked to China’s expansive espionage strategies.

U.S. officials are increasingly concerned about Chinese cyber efforts to infiltrate critical infrastructure. Intelligence experts believe that security breaches like this could enable disruptive attacks during potential future conflicts.

The Salt Typhoon campaign is part of this broader strategy. Experts are still investigating the origins of the attack and whether threat actors compromised Cisco routers.

This week the Wall Street Journal first reported that experts are investigating the security breaches to determine whether the attackers gained access to Cisco Systems routers, which are core network components of ISP infrastructure.

A Cisco spokeswoman confirmed the investigation and said that “at this time, there is no indication that Cisco routers are involved” in the Salt Typhoon activity.

“Hackers linked to the Chinese government have broken into a handful of U.S. internet-service providers in recent months in pursuit of sensitive information, according to people familiar with the matter.” reported the Wall Street Journal.

“The hacking campaign, called Salt Typhoon by investigators, hasn’t previously been publicly disclosed and is the latest in a series of incursions that U.S. investigators have linked to China in recent years. The intrusion is a sign of the stealthy success  has had breaking into valuable computer networks in the U.S. and around the globe.”

China has long targeted global internet service providers and recent attacks are aligned with past operations linked to Beijing.

Intelligence and cybersecurity experts warn that Chinese nation-state actors have shifted from stealing secrets to infiltrating critical U.S. infrastructure, suggesting that they are now targeting the core of America’s digital networks.

The Salt Typhoon hacking campaign, linked to China, appears focused on intelligence gathering rather than crippling infrastructure, unlike the attacks carried out by another China-linked APT group called . Chris Krebs from SentinelOne suggested that the group behind Salt Typhoon may be affiliated with China’s Ministry of State Security, specifically the  group, which specializes in intelligence collection. This group was publicly called out by the U.S. and its allies for hacking activities in July.


(SecurityAffairs – hacking, Salt Typhoon)

https://securityaffairs.com/169427/malware/security-affairs-malware-newsletter-round-14.html
Sun, 06 Oct 2024 13:16:37 +0000

Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape.



(SecurityAffairs hacking, malware)

https://securityaffairs.com/169402/security/google-pixel-9-mitigates-baseband-attacks.html
Sun, 06 Oct 2024 08:44:36 +0000

Google announced that its Pixel 9 has implemented new security features, and it supports measures to mitigate baseband attacks.

Pixel phones are known for their strong security features, particularly in protecting the cellular baseband, which is the processor handling LTE, 4G, and 5G communications. While basebands in smartphones are often vulnerable to attacks due to performance constraints, Pixel has implemented security hardening measures for years. Google claims that the Pixel 9 implements the most secure baseband to date, addressing a critical attack vector exploited by researchers.

The cellular baseband manages a smartphone’s network connectivity and processes external inputs, including those from untrusted sources. In the past, researchers documented multiple attacks relying on to target mobile devices. Threat actors can remotely carry out these kinds of attacks through protocols like IMS.

“malicious actors can . In certain protocols like IMS (IP Multimedia Subsystem), this can be executed remotely from any global location using an IMS client.” reads the announcement published by Google.

Baseband firmware can be affected by vulnerabilities, making it a significant attack vector. Exploiting baseband bugs can lead to remote code execution.

Experts warn that most smartphone basebands lack exploit mitigations commonly used in software development. Zero-day brokers and can exploit these vulnerabilities to target mobile users and deploy malware like . Baseband exploits are frequently listed in exploit marketplaces with low payouts, indicating their abundance. In response, Android and Pixel have strengthened their Vulnerability Rewards Program, prioritizing the identification and resolution of connectivity firmware vulnerabilities.

Pixel has added proactive defenses over the years; key security measures implemented in the Pixel 9 series include:

  • Bounds Sanitizer: Prevents memory corruption by ensuring memory access stays within bounds.
  • Integer Overflow Sanitizer: Eliminates memory corruption from numeric overflows.
  • Stack Canaries: Detects and alerts the system to potential stack-related attacks.
  • Control Flow Integrity (CFI): Restricts code execution to approved paths, preventing execution along unauthorized paths.
  • Auto-Initialize Stack Variables: Prevents vulnerabilities by automatically initializing stack memory to zero.
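Added example (not Google's or Pixel's code) showing the class of defect the sanitizers in this list target: a toy length-prefixed parser over constructed frames, with the wrapping length check beside a hardened check, and the clang flags that correspond to the listed mitigations. The frame layout, names and sample bytes are assumptions made for the example.

```c
/* Added example, not from Google's announcement: a toy length-prefixed (TLV)
 * message parser of the kind a cellular baseband runs over untrusted
 * over-the-air input. The "classic" length check wraps on 32-bit arithmetic;
 * the hardened parser validates the same fields with no addition that can
 * overflow. The listed Pixel 9 mitigations map onto these clang flags:
 *   clang -O2 -fsanitize=bounds,integer -fsanitize-trap=all \
 *         -fstack-protector-strong -ftrivial-auto-var-init=zero tlv_demo.c
 * (-fsanitize=cfi additionally requires -flto and -fvisibility=hidden.)
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLV_HDR      5u      /* 1-byte type + 4-byte big-endian length */
#define MAX_PAYLOAD  64u     /* fixed-size destination, as in firmware */

enum { TLV_OK = 0, TLV_ERR_TRUNCATED = -1, TLV_ERR_TOO_LONG = -2 };

typedef struct {
    uint8_t  type;
    uint32_t len;
    uint8_t  payload[MAX_PAYLOAD];
} tlv_record;

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The defective bounds check, isolated so it can be called without a copy:
 * "offset + header + len <= buf_len" is computed in uint32_t, so a length
 * close to UINT32_MAX wraps the sum to a small value and the check passes.
 * Integer Overflow Sanitizer traps on exactly this wrap at runtime. */
bool naive_length_check_passes(uint32_t off, uint32_t len, uint32_t buf_len)
{
    uint32_t end = off + TLV_HDR + len;   /* may wrap */
    return end <= buf_len;
}

/* Hardened parser: every comparison is against the bytes actually remaining,
 * using subtraction that cannot underflow because the preceding check
 * guarantees off + TLV_HDR <= buf_len. The payload is also capped at the
 * destination size, so memcpy can never run past the struct (Bounds
 * Sanitizer would catch an indexing slip here as a second line of defence). */
int tlv_parse_one(const uint8_t *buf, uint32_t buf_len, uint32_t off,
                  tlv_record *out, uint32_t *next_off)
{
    if (off > buf_len || buf_len - off < TLV_HDR)
        return TLV_ERR_TRUNCATED;
    uint32_t remaining = buf_len - off - TLV_HDR;
    uint32_t len = read_be32(buf + off + 1);
    if (len > remaining)
        return TLV_ERR_TRUNCATED;
    if (len > MAX_PAYLOAD)
        return TLV_ERR_TOO_LONG;

    /* Auto-Initialize Stack Variables makes explicit zeroing redundant on
     * Pixel builds; doing it by hand keeps the example correct everywhere. */
    memset(out, 0, sizeof *out);
    out->type = buf[off];
    out->len  = len;
    memcpy(out->payload, buf + off + TLV_HDR, len);
    *next_off = off + TLV_HDR + len;      /* cannot wrap: bounded by buf_len */
    return TLV_OK;
}

/* Constructed sample frames: a valid 3-byte record and one whose length
 * field (0xFFFFFFFC) makes the naive sum wrap to 1. */
static const uint8_t GOOD_FRAME[] = {0x21, 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c'};
static const uint8_t EVIL_FRAME[] = {0x21, 0xFF, 0xFF, 0xFF, 0xFC, 'a', 'b', 'c'};

int parse_good_frame_rc(void)
{
    tlv_record r; uint32_t n;
    return tlv_parse_one(GOOD_FRAME, sizeof GOOD_FRAME, 0, &r, &n);
}

int parse_evil_frame_rc(void)
{
    tlv_record r; uint32_t n;
    return tlv_parse_one(EVIL_FRAME, sizeof EVIL_FRAME, 0, &r, &n);
}

int main(void)
{
    uint32_t evil_len = read_be32(EVIL_FRAME + 1);
    printf("good frame: rc=%d\n", parse_good_frame_rc());
    printf("naive check on len=0x%08x: %s\n", evil_len,
           naive_length_check_passes(0, evil_len, sizeof EVIL_FRAME) ? "PASSES (bug)" : "rejects");
    printf("hardened parser on same frame: rc=%d\n", parse_evil_frame_rc());
    return 0;
}
```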

Additionally, bug detection tools like are used during testing to patch bugs before shipping.

“Security hardening is difficult and our work is never done, but when these security measures are combined, they significantly increase Pixel 9’s resilience to baseband attacks.” concludes the announcement. “Pixel’s proactive approach to security demonstrates a commitment to protecting its users across the entire software stack. Hardening the cellular baseband against remote attacks is just one example of how Pixel is constantly working to stay ahead of the curve when it comes to security.”


(SecurityAffairs – hacking, Google Pixel)

https://securityaffairs.com/169328/hacking/dutch-police-breached-by-state-actor.html
Thu, 03 Oct 2024 21:27:34 +0000

The Dutch government blames a “state actor” for hacking a police system, exposing the contact details of all police officers, according to the justice minister.

The Dutch police blame a state actor for the recent data breach that exposed officers’ contact details, the justice minister told lawmakers.

The incident took place on September 26, 2024, and the police have reported the security breach to the Data Protection Authority.

Threat actors broke into a police system and gained access to work-related contact details of multiple officers. The attackers had access to names, emails, phone numbers, and some private information belonging to police officers.

“Last week it became known that a police account was hacked. Work-related contact details of police officers were stolen.” reads the data breach notice published by Dutch police. “Apart from the names of colleagues, it does not concern private data or research data. Specialists within the police are investigating the impact of the incident.”

The police state that internal cyber specialists are investigating the security breach and that the investigation is still ongoing. The Dutch police announced that they have identified the attackers; however, they have not publicly attributed the attack to a specific actor.

“The police have been informed by the intelligence services that it is very likely a ‘state actor’, in other words: another country or perpetrators on behalf of another country.” reads the update on the data breach published by the Dutch police. “Based on the information from the intelligence services, the police immediately implemented strong security measures against this attack. In order not to make the perpetrators any wiser and not to harm further investigation, no more can be said at this time.”

Dutch intelligence agencies believe it is highly likely that a state actor was behind the recent police data breach. Justice Minister David van Weel assured lawmakers that police and national security partners are working to protect impacted officers and prevent further damage.

“Nine Kooiman, chair of the Netherlands Police Union, called the hack ‘a nightmare. It is now important to protect data, protect colleagues’ and track down the perpetrators.” reported the Associated Press.


(SecurityAffairs – hacking, Dutch police)

https://securityaffairs.com/169316/cyber-crime/4000-unpatched-adobe-commerce-and-magento-stores-hacked.html
Thu, 03 Oct 2024 14:36:12 +0000

Over 4,000 unpatched Adobe Commerce and Magento stores have been compromised by exploiting critical vulnerability CVE-2024-34102.

Sansec researchers reported that multiple threat actors have exploited a critical Adobe Commerce vulnerability, tracked as CVE-2024-34102 (aka CosmicSting, CVSS score of 9.8), to compromise more than 4,000 e-stores over the past three months.

The flaw is an Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability that could result in arbitrary code execution. An attacker could exploit this issue by sending a crafted XML document that references external entities. The experts pointed out that the exploitation of this issue does not require user interaction. The flaw impacts Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier. Adobe warned that it is aware that CVE-2024-34102 has been exploited in the wild in limited attacks targeting Adobe Commerce merchants.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog in July 2024.

According to Sansec, CosmicSting (CVE-2024-34102) is the most severe bug impacting Magento and Adobe Commerce stores in two years, with hacks occurring at a rate of 3 to 5 per hour. Merchants are urged to implement countermeasures immediately.

An attacker can also chain the flaw with the vulnerability CVE-2024-2961 to run arbitrary code on the underlying server and install backdoors.

“CosmicSting targets a critical bug in the Adobe Commerce and Magento platforms. Bad actors use it to read any of your files, such as passwords and other secrets. The typical attack strategy is to steal your secret crypt key from app/etc/env.php and use that to modify your CMS blocks via the Magento API. Then, attackers inject malicious Javascript to steal your customer’s data.” reads the advisory published by Sansec. “Combined with another bug (CVE-2024-2961), attackers can also run code directly on your servers and use that to install backdoors.”

The exploitation has a severe impact on e-commerce: the researchers reported that cybercriminals hacked 5% of all Adobe Commerce and Magento stores this summer. The attackers also compromised e-stores of major organizations, including Ray-Ban, National Geographic, Cisco, Whirlpool and Segway. Sansec experts reported that at least seven distinct groups are exploiting the CosmicSting vulnerability to deploy e-skimmers on victim stores.

“Sansec research shows that seven different groups have been hacking into 4275 online stores since the publication of CVE-2024-34102 (also known as CosmicSting) on June 11th. Despite ongoing warnings, five percent of Adobe Commerce and Magento stores ended up with a payment skimmer on their checkout page this summer.” reports Sansec.

Threat groups exploiting this vulnerability include Bobry, Polyovki (infecting over 650 stores), Surki, Burunduki, Ondatry, Khomyaki, and Belki. The Ondatry group compromised over 4,000 e-stores in 2022 using the TrojanOrder vulnerability, but they have now switched to CosmicSting.

Adobe issued a critical severity rating on July 8th after automated attacks began, stealing thousands of cryptographic keys. However, the experts noticed that updating systems didn’t automatically invalidate old keys, leaving stores vulnerable. Adobe provided a to remove old keys, but not all merchants followed it.

“Each group uses CosmicSting attacks to steal secret Magento cryptographic keys.” continues Sansec. “This key is then used to generate an API authorization token, enabling the attacker to access private customer data and insert payment skimmers into the checkout process through ‘CMS blocks’.”

Administrators of Adobe Commerce and Magento e-stores are urged to upgrade their installations as soon as possible.


(SecurityAffairs – hacking, CVE-2024-34102)

https://securityaffairs.com/169305/hacking/new-record-breaking-ddos-attack-3-8-tbps.html
Thu, 03 Oct 2024 13:01:17 +0000

Cloudflare recently mitigated a new record-breaking DDoS attack, peaking at 3.8 Tbps and 2.14 billion packets per second (Pps).

Cloudflare reported that, starting in early September, it mitigated over 100 hyper-volumetric L3/4 DDoS attacks, many exceeding 2 billion Pps and 3 Tbps. The largest DDoS attack peaked at 3.8 Tbps, which is the highest ever publicly disclosed.

“Cloudflare’s defenses mitigated over one hundred hyper-volumetric L3/4 DDoS attacks throughout the month, with many exceeding 2 billion packets per second (Bpps) and 3 terabits per second (Tbps). The largest attack peaked 3.8 Tbps — the largest ever disclosed publicly by any organization. Detection and mitigation was fully autonomous” reads the report published by Cloudflare.

The company pointed out that it has detected and mitigated the attack with its automated processes.

The scale and frequency of recent DDoS attacks are unprecedented, with experts warning they could overwhelm unprotected internet infrastructure.

The campaign that started in September targets the financial, internet, and telecom industries. The DDoS attacks predominantly use UDP traffic originating from compromised devices worldwide, with major sources in Vietnam, Russia, Brazil, Spain, and the US.

The experts noticed that high packet rate attacks are generated from compromised MikroTik devices, DVRs, and web servers, while high bitrate attacks are linked to compromised ASUS routers, likely exploited via a  (, CVSS score of 9.8) in ASUS routers.

The previous record-breaking volumetric DDoS attack was reported by Microsoft in late 2021, peaking at with a packet rate of 340 million Pps. The largest attack previously seen by Cloudflare peaked at .

“The scale and frequency of these attacks are unprecedented. Due to their sheer size and bits/packets per second rates, these attacks have the ability to take down unprotected Internet properties, as well as Internet properties that are protected by on-premise equipment or by cloud providers that just don’t have sufficient network capacity or global coverage to be able to handle these volumes alongside legitimate traffic without impacting performance.” concludes Cloudflare. “Cloudflare, however, does have the network capacity, global coverage, and intelligent systems needed to absorb and automatically mitigate these monstrous attacks.”


(SecurityAffairs – hacking, DDoS attack)

https://securityaffairs.com/169279/security/u-s-cisa-adds-ivanti-epm-flaw-known-exploited-vulnerabilities-catalog.html
Wed, 02 Oct 2024 19:29:45 +0000

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti Endpoint Manager (EPM) vulnerability to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Ivanti Virtual Traffic Manager authentication bypass vulnerability (CVSS score of 9.6) to its Known Exploited Vulnerabilities catalog.

In May, Ivanti released security patches to address multiple critical vulnerabilities in the Endpoint Manager (EPM), including CVE-2024-29824.

The vulnerability is an unspecified SQL Injection issue in the Core server of Ivanti EPM 2022 SU5 and prior. An unauthenticated attacker within the same network could exploit the vulnerability to execute arbitrary code.

At the time of its disclosure, the company reported that it was not aware of attacks in the wild exploiting the vulnerability.

According to , FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by October 23, 2024.


(SecurityAffairs – hacking, )

https://securityaffairs.com/169239/hacking/zimbra-postjournal-flaw-cve-2024-45519-exploited.html
Wed, 02 Oct 2024 09:21:33 +0000

Threat actors attempt to exploit recently disclosed vulnerability CVE-2024-45519 in Synacor’s Zimbra Collaboration.

Proofpoint cybersecurity researchers reported that threat actors are attempting to exploit a recently disclosed vulnerability, tracked as CVE-2024-45519, in Synacor’s Zimbra Collaboration.

Starting on September 28, 2024, threat actors have been attempting to exploit the issue to achieve remote code execution on vulnerable instances.

Threat actors started exploiting the vulnerability after the cybersecurity firm Project Discovery released technical details of the vulnerability and PoC exploit code.

“Zimbra, a widely used email and collaboration platform, recently released a critical security update addressing a severe vulnerability in its postjournal service. This vulnerability, identified as CVE-2024-45519, allows unauthenticated attackers to execute arbitrary commands on affected Zimbra installations.” reads a blog post published by Project Discovery. “In this blog post, we delve into the nature of this vulnerability, our journey in analyzing the patch, and the steps we took to exploit it manually. “

The vulnerability CVE-2024-45519 is a remote code execution vulnerability in Zimbra mail servers that was discovered by the security researcher lebr0nli (Alan Li). Security updates released on September 4, 2024, address the vulnerability.

The attackers spoofed Gmail, sending emails with base64 strings to be executed by Zimbra servers. The same server is used to send the exploit emails and host second-stage payloads. The experts have yet to identify the threat actor behind this campaign.

“Beginning on September 28, began observing attempts to exploit CVE-2024-45519, a remote code execution vulnerability in Zimbra mail servers. The emails spoofing Gmail were sent to bogus addresses in the CC fields in an attempt for Zimbra servers to parse and execute them as commands. The addresses contained base64 strings that are executed with the sh utility.” Proofpoint wrote on X. “For unknown reasons, the threat actor is using the same server to send the exploit emails and host second-stage payloads. The activity is unattributed at this time.”

Some emails from the same sender used CC’d addresses in an attempt to build a webshell on vulnerable Zimbra servers. The attackers spread the payload across the full CC list: concatenating the base64-encoded blobs yields a command that writes a webshell to the following path: /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp.

Once the webshell is deployed, it listens for connections with a specific JSESSIONID cookie and parses the JACTION cookie for base64 commands. The webshell can execute commands or download and run files via a socket connection.

The availability of a PoC exploit exposes users to the risk of attacks; administrators are strongly recommended to apply the latest versions as soon as possible.


(SecurityAffairs – hacking, Zimbra)

https://securityaffairs.com/169225/cyber-crime/new-arrests-linked-to-lockbit-ransomware-group.html
Wed, 02 Oct 2024 07:00:01 +0000

An international police operation led to the arrest of four individuals linked to the LockBit ransomware group, including a developer.

Europol and the UK and US law enforcement authorities announced a new operation against the ransomware gang. The police arrested an alleged LockBit developer at France’s request while he was vacationing outside Russia, and two individuals in the UK for supporting a LockBit affiliate. In Spain, the local police arrested the administrator of a bulletproof hosting service and seized nine servers belonging to the group’s infrastructure.

“Europol supported a new series of actions against LockBit actors, which involved 12 countries and Eurojust and led to four arrests and seizures of servers critical for LockBit’s infrastructure.” reads the press release published by Europol. “A suspected developer of LockBit was arrested at the request of the French authorities, while the British authorities arrested two individuals for supporting the activity of a LockBit affiliate.”

The arrests and sanctions are part of the third phase of the law enforcement operation code-named conducted by law enforcement bodies from 12 countries, Europol, and Eurojust. The operation aims at dismantling the LockBit ransomware group. This follows the in February 2024 and further actions against its administrators in May and beyond.

Europol, the UK and the US published press releases on the former Tor leak site used by the ransomware gang.

Australia, the UK, and the US imposed sanctions on a key LockBit affiliate who is linked to the cybercrime group Evil Corp.

“Aleksandr Ryzhenkov DOB 26/05/1993 has been unmasked by the NCA as the specific member of Evil Corp who is a LockBit affiliate. Ryzhenkov used the affiliate name Beverley, made over 60 LockBit ransomware builds and sought to extort at least $100 million from victims in ransom demands. Ryzhenkov additionally has been linked to the alias mx1r and associated with UNC2165 (an evolution of Evil Corp affiliated actors).” reads the NCA’s announcement.

The UK also sanctioned 15 Russian citizens for ties to Evil Corp, while the US authorities sanctioned six, and Australia sanctioned two.

LockBit gang has been active since 2019, the list of victims is long and includes major organizations such as , and the . Over the years, law enforcement has arrested multiple individuals involved in the gang’s operation, including , , and .

Astamirov was arrested in Arizona in June 2023 and . Vasiliev, who was extradited to the United States in June, has already been .


(SecurityAffairs – hacking, Europol)

https://securityaffairs.com/169198/cyber-crime/umc-health-system-cyberattack.html
Tue, 01 Oct 2024 18:00:18 +0000

US healthcare provider UMC Health System had to divert patients due to a network outage caused by a ransomware attack.

On September 27, 2024, US healthcare provider UMC Health System announced an investigation into an IT outage across its network. UMC diverted patients for several days after taking IT systems offline following a ransomware attack.

“However, out of an abundance of caution, we will continue to temporarily divert incoming emergency and non-emergency patients via ambulance to nearby health facilities until this issue is resolved. We are making accommodations wherever possible to minimize any disruption to our patients and our critical services.” reads the notice published by UMC. “Our investigation into this incident remains ongoing and will take time to complete. In the meantime, we are standing up this dedicated webpage to provide the latest information. We will continue to provide updates via this site as services are restored and additional information becomes available.”

UMC Health System is a healthcare provider based in Lubbock, Texas. It operates University Medical Center, a major teaching hospital affiliated with Texas Tech University Health Sciences Center. UMC Health System provides a wide range of medical services, including emergency care, specialized surgeries, and comprehensive treatment programs. It serves as a regional medical center, offering both inpatient and outpatient care, and is known for its trauma center and advanced healthcare technologies.

The company announced that its healthcare facilities remain open across all access points, including Emergency Centers and Urgent Care Clinics. UMC Clinics also remained open.

The company launched an investigation into the security breach with the help of third-party cybersecurity experts. The hospital disconnected its systems from the Internet to contain the threat.

By Monday, the hospital restored some systems and services, but a few patients were still being diverted.

“Third parties that have helped other hospitals address similar issues have been engaged to assist in our response and investigation. Our teams are working around the clock to safely restore systems as quickly as possible.” concludes the notice.

“We appreciate your patience. It remains our mission and our goal to ensure our patients continue to receive the best care.”

The company did not provide details about the attack, such as the ransomware family that hit the hospital. It is unclear whether the threat actors exfiltrated patients’ data during the attack.

Healthcare infrastructure in the US continues to be under attack: in July, the Lockbit ransomware gang claimed the hack of the Fairfield Memorial Hospital in Illinois. Unfortunately, the ransomware group claimed the hack of other hospitals in the same period. The extortion group also claimed the hack of the Merryman House Domestic Crisis Center and the Florida Department of Health.

In February the  . The security incident severely impacted normal operations also causing the delay of medical care.

Lurie Children’s Hospital is one of the top pediatric hospitals in the United States.


(SecurityAffairs – hacking, UMC)
